Setting up Single Sign-On via SAML

If your Single Sign-On (SSO) provider is not Microsoft Entra ID or Google SSO but supports SAML, you should be able to set it up to authenticate your users signing in to Genius.

In order to set this up, an Administrator must navigate to Home → Settings → Security Controls. From here you will see the Login Settings section. In this section, update the dropdown for Single Sign-On (SSO) to SAML and fill in the appropriate details before clicking Save.

To get started with our generic SAML interface, we will need a few key pieces of information. You may need to add a new application to your SSO provider in order to authorize Genius to use SAML for SSO.

  • Login Button Label
    • Optional - this is the text that will show on the Sign in with SSO button. Maximum 30 characters. If no text is provided, then the button will display “Sign in with SSO”.
    • Note: See section on Account Login below for how to set up automatic forwarding to SSO so your users will not need to click a Sign in with SSO button
  • Metadata URL
    • Optional - This is your identity provider's metadata URL. If you do not provide the metadata URL then you must provide a login URL and signing certificate. 
    • E.g. For Okta, you can get this by having an Admin sign in to the Okta Admin app and generate the IDP metadata variable
  • Login URL
    • Optional - This is your identity provider's login URL. If you do not provide the login URL, then you must provide a metadata URL. 
    • E.g. this is the location where your users' browsers would be redirected to sign in. For Okta, this might be [yourorganization].okta.com. You can sign in to the Okta Admin Dashboard to generate this URL.
  • SAML Signing Certificate
    • Optional - This is the PEM Text format x509 Certificate from your identity provider. If you do not provide a signing certificate, then you must provide a metadata URL.
    • IMPORTANT: Please remove the BEGIN CERTIFICATE and END CERTIFICATE lines and provide your certificate as a single line in this text box.
    • E.g. For Okta, you can sign in to the Okta Admin Dashboard to generate the x509 Certificate in PEM Text Format.

 

Once set up to sign in via SAML, your users will be able to sign in to Genius with their credentials from their company account. Please make sure the email for their user in Genius matches the email on their company account or the user may encounter errors when logging in.

Warning: Document Signing

Genius expects both the document and assertion to be signed, which should be a setting you can configure in your identity provider. Not signing both the document and assertion may lead to an error when setting up and testing out SSO via SAML.

 

 

Account Login

If you want your users to be automatically forwarded to log in with SSO (so they do not need to click a “Login with SSO” button), you'll need to turn off Account Login.

Account Login is the ability to use your old AVOXI Genius credentials to log in with the password managed through AVOXI. Once SSO is enabled, ideally you should turn off Account Login as that will automatically forward your users to sign in with your SSO provider when they attempt to log in.

You may want to leave Account Login enabled if you use additional accounts which are not directly tied to a user. These might be things like Administrative accounts or Integration accounts which are not representative of a specific person.

 

 
